Linksys Velop Broadband Routers Can Leak Passwords in Cleartext UPDATE
Owners of the Linksys Velop Pro 6E and Pro 7 mesh routers, which are also used by some broadband connected consumers in the UK, are being advised to change the router’s passwords and Wi-Fi network names through an external web browser. The requirement comes after it was alleged that the models could transmit passwords in cleartext during the initial setup.
The issue was first discovered by a Belgian consumer organization, Testaankoop, which found that, during initial setup, both the Velop Pro 6E and 7 were allegedly transmitting the end-user’s SSID (WiFi network name) and passwords in cleartext (unencrypted) to an Amazon hosted server in the USA (we don’t know if they mean the admin or WiFi password, but it could be both). User session access tokens and database identification tokens were also transmitted.
The issue was discovered in firmware version 1.0.8 MX6200_1.0.8.215731 for the Wi-Fi 6E router and 1.0.10.215314 for the Wi-Fi 7 device. But exploiting this would admittedly require a Man-in-the-Middle (MITM) style attack, one with good timing.
Advertisement
Since then there has been an additional patch, but there’s no mention in the release notes of whether this includes a fix for the problem and Techspot claims that Linksys still hasn’t publicly acknowledged the issue. Testaankoop says they reported the vulnerability to Linksys in November 2023 but got no response, which doesn’t exactly inspire confidence in the company’s approach to device security.
In the meantime, the best course of action, if you have one of these routers, is to change your passwords (WiFi and router admin) and WiFi network names. But you should do this using a web browser on a PC / MAC or mobile device and NOT via the accompanying Linksys app to prevent the changes from being sent unencrypted.
UPDATE 3:48pm
A spokesperson for Linksys has been in contact to inform us that they “take security very seriously” and have “conducted a thorough review and can confirm that none of the models being deployed by any of the Service Providers in the UK are affected by this alleged vulnerability. This assurance extends to our current products as well as any units that have been deployed by Service Providers in the past.”
Advertisement
However, the statement only covers ISP supplied routers and doesn’t clarify whether the aforementioned retail models have been patched, or if Linksys are disputing that a vulnerability even exists. We have requested further clarification on these points and will report back. But Linksys did say that they would be sending out an official press release next week to provide further details and reinforce their commitment to product security.
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on X (Twitter), Mastodon, Facebook, BlueSky, Threads.net and Linkedin.
« TRATOS Acquires Swindon Based AFL Telecommunications Europe
People really should replace the stock routers as soon as possible for something better. Year in, year out, the same poor quality firmware and lackadaisical attitude to security.
My current setup is OPNsense firewall router, with Unifi switches and access points. Though for most folk something out of the new Unifi Ultra range or Amplifi mesh setup should be good enough. I have also heard good things about TP-Link’s prosumer ranges.
Last word of advise keep the router supplied in a box, ISPs won’t troubleshoot if you don’t have their stock router connected.
you make it sound like opnsense or ubiquiti have not ever had vulnerabilities or bugs of their own.
ubiquiti are also the number one brand name among people who think they know more than they actually do (as is evident when broadband forums like these show people complaining about being ‘throttled’ etc – when it’s actually misconfiguration)
ISP supplied devices are not necessarily bad, and for 99.9% of users will work absolutely fine for their needs, without spending hundreds or thousands of pounds on equipment that doesn’t actually given a corresponding increase in performance or security or reliability.
Linksys Velop units are not really stock routers, they are just devices that some IPS supply, you can pick them up from Amazon if you want to. Not that Linksys is a big name in home routers these days. TPlink and Asus have knocked them off the perch.
As for router security, there have been a few over the years, it happens sadly.
The other sad part is that most people would not have a clue how to change the password, so they certainly would not have a clue about getting another router.
I agree with Ivor, most routers supplied by ISPs are pretty good and will do the job for the majority of people, apart from the one my ISP supplies.
Whilst the Unifi gateways are quite nice devices for the price, I’d be hesitant to recommend one to the average user, most people just want a plug and play solution and hence stick with whatever router the ISP sends.
There’s even a lot of people who think Internet = Wi-Fi there’s no way one of them are likely to have the expertise needed to set up something like a UBNT gateway or 3rd party router, if you asked them what their PPPoE credentials were they’d not have a clue what you were talking about.
Agreed – Unifi or 3rd party routers are not really designed for the average consumer, imo – The average non tech person can barely setup an ISP router, let alone something like that, Like if I asked my parents to put the virgin media superhub in modem mode, she wouldn’t have a clue where to start
I believe the only Ubiquiti product that comes anywhere close is their Unifi Express
Ivor says:
“you make it sound like opnsense or ubiquiti have not ever had vulnerabilities or bugs of their own.
ubiquiti are also the number one brand name among people who think they know more than they actually do (as is evident when broadband forums like these show people complaining about being ‘throttled’ etc – when it’s actually misconfiguration)”
Maybe working as an operations engineer for a large US tech corp I actually do know what I am talking about? Yes I am well aware that everything get bugs from big Juniper switches to the cheap as chips routers that come from most ISPs. The difference is the response to the bugs.
“Since then there has been an additional patch, but there’s no mention in the release notes of whether this includes a fix for the problem and Techspot claims that Linksys still hasn’t publicly acknowledged the issue”.
A company that takes this attitude is unprofessional and untrustworthy. This is why I recommend people swap out.
As for your point about misconfiguration of routers, it can be problem, the thing to remember there, is to save your configuration before changes and rollback if things go pair shape. I don’t change stuff or even care about it if it isn’t affecting me.
name says:
“I believe the only Ubiquiti product that comes anywhere close is their Unifi Express”
My recommendation for just about everyone’s domestic needs
Every device manufacturer with software embedded is going to face some kind of defect or vulnerability at some point during the lifetime of their product. They might get really lucky and a defect or vulnerability is never discovered, but when something is discovered and it needs an update how the manufacturer responds to the issue is what matters.
It appears that Linksys have so far opted for obscurity over transparency which is never a good sign.